[Opendnssec-develop] ZSK rollovers

Jakob Schlyter jakob at kirei.se
Wed May 5 13:30:33 UTC 2010


This is my current thinking when it comes to what keys are included, signatures are recycled and keys used for signing:


## DNSKEYs included in the resulting zone file

Keys marked as Published should be extracted from the HSM and included in the
signed zonefile.

## Recycling RRSIGs

Signatures for which all the following conditions hold may be recycled:

- Inception time has passed
- Expiration minus Refresh has not yet passed
- The signer key is marked as Publish (i.e., exists in the zone)
- The signer key is not marked as revoked

To let new key signing keys sign the DNSKEY RRset without delay, e.g. for double
signed DNSKEYs, one of the following algorithms can be used:

- If the RRSIG covers a DNSKEY and the set of RRSIGs (using the same algorithm)
  does not include signatures by all keys marked as KSK, RRSIGs for that
  DNSKEY may not be recycled.
- Always drop (i.e. not recycle) signatures covering DNSKEYs.


## Generated RRSIG

If there are no valid signatures by a key using the same algorithm as the key
eligible for signing, a new signature must be created. Multiple signatures for
a single RRset may be created if multiple keys have KSK and/or ZSK set.

- Keys marked as KSK are used to sign all DNSKEY resource records.
- Keys marked as ZSK are used to sign all non-DNSKEY resource records.

(N.B. a single key can be marked as both KSK and ZSK)
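The recycling conditions and the signing rules above, carried through as an added Python example (this is not OpenDNSSEC's own code); the Key/RRSig model, its flag names and integer timestamps are assumptions made for the example:

```python
from dataclasses import dataclass

# Constructed, simplified model of the key and signature state described in the
# post; field names (tag, published, revoked, ksk, zsk) are assumptions.
@dataclass(frozen=True)
class Key:
    tag: int
    algorithm: int
    published: bool       # "Publish": the DNSKEY is in the zone
    revoked: bool = False
    ksk: bool = False
    zsk: bool = False

@dataclass(frozen=True)
class RRSig:
    rrtype: str           # type covered, e.g. "DNSKEY" or "A"
    key_tag: int
    algorithm: int
    inception: int        # times as plain integers (seconds)
    expiration: int

def can_recycle(sig, keys, now, refresh):
    """The four recycling conditions from the post, for one signature."""
    key = keys.get(sig.key_tag)
    if key is None or not key.published or key.revoked:
        return False
    return sig.inception <= now < sig.expiration - refresh

def signing_keys(rrtype, keys):
    """KSKs sign DNSKEY, ZSKs sign everything else (a key may be both)."""
    return [k for k in keys.values() if (k.ksk if rrtype == "DNSKEY" else k.zsk)]

def plan(rrtype, sigs, keys, now, refresh, drop_dnskey_sigs=False):
    """Return (signatures to recycle, keys that must create new signatures)."""
    recyclable = [s for s in sigs if s.rrtype == rrtype and can_recycle(s, keys, now, refresh)]
    if rrtype == "DNSKEY":
        if drop_dnskey_sigs:
            recyclable = []           # second option: never recycle DNSKEY signatures
        else:
            kept = []                 # first option: per algorithm, every KSK must have signed
            for alg in {s.algorithm for s in recyclable}:
                ksks = {k.tag for k in keys.values() if k.ksk and k.algorithm == alg}
                signers = {s.key_tag for s in recyclable if s.algorithm == alg}
                if ksks <= signers:
                    kept += [s for s in recyclable if s.algorithm == alg]
            recyclable = kept
    # A new signature is needed by each eligible key whose algorithm has no valid signature.
    covered = {s.algorithm for s in recyclable}
    to_sign = [k for k in signing_keys(rrtype, keys) if k.algorithm not in covered]
    return recyclable, to_sign
```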
